Merge "Fix Secure RBAC policies for Containers API"
This commit is contained in:
Zuul
Gerrit Code Review
commit
708b00d340
@ -10,21 +10,63 @@
|
|||||||
# License for the specific language governing permissions and limitations
|
# License for the specific language governing permissions and limitations
|
||||||
# under the License.
|
# under the License.
|
||||||
|
|
||||||
|
from oslo_log import versionutils
|
||||||
from oslo_policy import policy
|
from oslo_policy import policy
|
||||||
|
|
||||||
|
from barbican.common.policies import base
|
||||||
|
|
||||||
_READER = "role:reader"
|
|
||||||
_MEMBER = "role:member"
|
deprecated_containers_post = policy.DeprecatedRule(
|
||||||
_ADMIN = "role:admin"
|
name='containers:post',
|
||||||
_PROJECT_MEMBER = f"{_MEMBER} and project_id:%(target.container.project_id)s"
|
check_str='rule:admin_or_creator',
|
||||||
_PROJECT_ADMIN = f"{_ADMIN} and project_id:%(target.container.project_id)s"
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
_CONTAINER_CREATOR = "user_id:%(target.container.creator_id)s"
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
_CONTAINER_IS_NOT_PRIVATE = "True:%(target.container.read_project_access)s"
|
)
|
||||||
|
deprecated_containers_get = policy.DeprecatedRule(
|
||||||
|
name='containers:get',
|
||||||
|
check_str='rule:all_but_audit',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
deprecated_container_get = policy.DeprecatedRule(
|
||||||
|
name='container:get',
|
||||||
|
check_str='rule:container_non_private_read or ' +
|
||||||
|
'rule:container_project_creator or ' +
|
||||||
|
'rule:container_project_admin or ' +
|
||||||
|
'rule:container_acl_read',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
deprecated_container_delete = policy.DeprecatedRule(
|
||||||
|
name='container:delete',
|
||||||
|
check_str='rule:container_project_admin or ' +
|
||||||
|
'rule:container_project_creator',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
deprecated_container_secret_post = policy.DeprecatedRule(
|
||||||
|
name='container_secret:post',
|
||||||
|
check_str='rule:container_project_admin or ' +
|
||||||
|
'rule:container_project_creator or ' +
|
||||||
|
'rule:container_project_creator_role and ' +
|
||||||
|
'rule:container_non_private_read',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
deprecated_container_secret_delete = policy.DeprecatedRule(
|
||||||
|
name='container_secret:delete',
|
||||||
|
check_str='rule:container_project_admin or ' +
|
||||||
|
'rule:container_project_creator or ' +
|
||||||
|
'rule:container_project_creator_role and ' +
|
||||||
|
'rule:container_non_private_read',
|
||||||
|
deprecated_reason=base.LEGACY_POLICY_DEPRECATION,
|
||||||
|
deprecated_since=versionutils.deprecated.WALLABY
|
||||||
|
)
|
||||||
|
|
||||||
rules = [
|
rules = [
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='containers:post',
|
name='containers:post',
|
||||||
check_str=f"rule:admin_or_creator or {_MEMBER}",
|
check_str='True:%(enforce_new_defaults)s and role:member',
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Creates a container.',
|
description='Creates a container.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -32,11 +74,12 @@ rules = [
|
|||||||
'path': '/v1/containers',
|
'path': '/v1/containers',
|
||||||
'method': 'POST'
|
'method': 'POST'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_containers_post
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='containers:get',
|
name='containers:get',
|
||||||
check_str=f"rule:all_but_audit or {_MEMBER}",
|
check_str='True:%(enforce_new_defaults)s and role:member',
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Lists a projects containers.',
|
description='Lists a projects containers.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -44,16 +87,18 @@ rules = [
|
|||||||
'path': '/v1/containers',
|
'path': '/v1/containers',
|
||||||
'method': 'GET'
|
'method': 'GET'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_containers_get
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='container:get',
|
name='container:get',
|
||||||
check_str='rule:container_non_private_read or ' +
|
check_str=(
|
||||||
'rule:container_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:container_project_admin or ' +
|
'(rule:container_project_admin or '
|
||||||
'rule:container_acl_read or ' +
|
'(rule:container_project_member and rule:container_owner) or '
|
||||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
'(rule:container_project_member and '
|
||||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
' rule:container_is_not_private) or '
|
||||||
|
'rule:container_acl_read)'),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Retrieves a single container.',
|
description='Retrieves a single container.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -61,14 +106,17 @@ rules = [
|
|||||||
'path': '/v1/containers/{container-id}',
|
'path': '/v1/containers/{container-id}',
|
||||||
'method': 'GET'
|
'method': 'GET'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_container_get
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='container:delete',
|
name='container:delete',
|
||||||
check_str='rule:container_project_admin or ' +
|
check_str=(
|
||||||
'rule:container_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
'(rule:container_project_admin or '
|
||||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
'(rule:container_project_member and rule:container_owner) or '
|
||||||
|
'(rule:container_project_member and '
|
||||||
|
' rule:container_is_not_private))'),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Deletes a container.',
|
description='Deletes a container.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -76,16 +124,17 @@ rules = [
|
|||||||
'path': '/v1/containers/{uuid}',
|
'path': '/v1/containers/{uuid}',
|
||||||
'method': 'DELETE'
|
'method': 'DELETE'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_container_delete
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='container_secret:post',
|
name='container_secret:post',
|
||||||
check_str='rule:container_project_admin or ' +
|
check_str=(
|
||||||
'rule:container_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:container_project_creator_role and ' +
|
'(rule:container_project_admin or '
|
||||||
'rule:container_non_private_read or ' +
|
'(rule:container_project_member and rule:container_owner) or '
|
||||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
'(rule:container_project_member and '
|
||||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
' rule:container_is_not_private))'),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Add a secret to an existing container.',
|
description='Add a secret to an existing container.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -93,16 +142,17 @@ rules = [
|
|||||||
'path': '/v1/containers/{container-id}/secrets',
|
'path': '/v1/containers/{container-id}/secrets',
|
||||||
'method': 'POST'
|
'method': 'POST'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_container_secret_post
|
||||||
),
|
),
|
||||||
policy.DocumentedRuleDefault(
|
policy.DocumentedRuleDefault(
|
||||||
name='container_secret:delete',
|
name='container_secret:delete',
|
||||||
check_str='rule:container_project_admin or ' +
|
check_str=(
|
||||||
'rule:container_project_creator or ' +
|
'True:%(enforce_new_defaults)s and '
|
||||||
'rule:container_project_creator_role and ' +
|
'(rule:container_project_admin or '
|
||||||
'rule:container_non_private_read or ' +
|
'(rule:container_project_member and rule:container_owner) or '
|
||||||
f"({_PROJECT_MEMBER} and ({_CONTAINER_CREATOR} or " +
|
'(rule:container_project_member and '
|
||||||
f"{_CONTAINER_IS_NOT_PRIVATE})) or {_PROJECT_ADMIN}",
|
' rule:container_is_not_private))'),
|
||||||
scope_types=['project'],
|
scope_types=['project'],
|
||||||
description='Remove a secret from a container.',
|
description='Remove a secret from a container.',
|
||||||
operations=[
|
operations=[
|
||||||
@ -110,7 +160,8 @@ rules = [
|
|||||||
'path': '/v1/containers/{container-id}/secrets/{secret-id}',
|
'path': '/v1/containers/{container-id}/secrets/{secret-id}',
|
||||||
'method': 'DELETE'
|
'method': 'DELETE'
|
||||||
}
|
}
|
||||||
]
|
],
|
||||||
|
deprecated_rule=deprecated_container_secret_delete
|
||||||
),
|
),
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user